ISO/IEC 27018 Privacy in the Cloud
Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
Date: July 2014
Creator: ISO/IEC JTC1/SC27
Description: The intention of this International Standard, when used in conjunction with the information security objectives and controls in ISO/IEC 27002, is to create a common set of security categories and controls that can be implemented by a public cloud computing service provider acting as a PII processor. It has the following objectives.
— To help the public cloud service provider to comply with applicable obligations when acting as a PII processor, whether such obligations fall on the PII processor directly or through contract.
— To enable the public cloud PII processor to be transparent in relevant matters so that cloud service customers can select well-governed cloud-based PII processing services.
— To assist the cloud service customer and the public cloud PII processor in entering into a contractual agreement.
— To provide cloud service customers with a mechanism for exercising audit and compliance rights and responsibilities in cases where individual cloud service customer audits of data hosted in a multi-party, virtualized server (cloud) environment might be impractical technically and might increase risks to those physical and logical network security controls in place.
This International Standard does not replace applicable legislation and regulations, but can assist by providing a common compliance framework for public cloud service providers, in particular those that operate in a multinational market.
Privacy: It is essential that an organization identifies its requirements for the protection of PII. There are three main sources of requirement, as given below.
a) Legal, Statutory, Regulatory and Contractual Requirements: One source is the legal, statutory, regulatory and contractual requirements and obligations that an organization, its trading partners, contractors and service providers have to satisfy, together with their socio-cultural responsibilities and operating environment. It should be noted that legislation, regulations and contractual commitments made by the PII processor might mandate the selection of particular controls and might also necessitate specific criteria for implementing those controls. These requirements can vary from one jurisdiction to another.
b) Risks: Another source is derived from assessing the risks to the organization associated with PII, taking into account the organization’s overall business strategy and objectives. Through a risk assessment, threats are identified, vulnerability to them and the likelihood of occurrence are evaluated, and the potential impact is estimated. ISO/IEC 27005 provides information security risk management guidance, including advice on risk assessment, risk acceptance, risk communication, risk monitoring and risk review. ISO/IEC 29134 provides guidance on privacy impact assessment.
c) Corporate policies: While many aspects covered by a corporate policy are derived from legal and socio-cultural obligations, an organization might also choose voluntarily to go beyond the criteria derived from the requirements of a).
Security: The Standard has sections covering information security policies, including management direction for information security; the organization of information security; human resource security; access control; cryptography; physical and environmental security; and operations and communications security. Each section follows the corresponding control clause of ISO/IEC 27002 (the control set of ISO/IEC 27001 Annex A), so a provider that already operates ISO/IEC 27001 controls can map the PII-specific guidance directly onto them.